I've retitled this thread because it is not prudent to perpetuate likely falsehoods.
While it is certainly *possible* that the Chinese (etc) might have done this, as of yet there is no evidence, and there is equal likelihood that there are other vendors whose gear could have been tampered with. In particular, I believe that there have been some concerns about Cisco, and IBM's sale of its PC and server businesses to Lenovo generated this sort of spectre-paranoia as well.
Conspiracy theories are great fun. Look at 9/11. People weave these intricate conspiracy theories that somehow, "demolition crews" wired the WTC, and the planes were military planes, and that all the victim families are lying, or that the victims are sequestered on some remote island, etc., etc., and if you start to examine the implications of any of these, it would require a cast of thousands of co-conspirators to have pulled off 9/11. I, however, am a firm believer in Ben Franklin's wisdom: "Three can keep a secret, if two of them are dead." This advises us that a large conspiracy, while not impossible, is highly unlikely.
A better conspiracy theory would be: "Dick Cheney (picked because he had sufficient power and also industry connections likely to benefit) ordered a CIA officer to approach Bin Laden with a suitcase of money and convinced him to pull off 9/11. On the way home, that officer was killed by another CIA officer who was told that the first was a traitor. 9/11 unfolded as reported by the news." This is a much BETTER conspiracy theory from a practical perspective. It makes Occam's Razor happy. However, for whatever reason, it does not please conspiracy theorists, who seem to prefer Rube Goldberg schemes.
I don't believe either one to be true, by the way.
So the thing here is, as noted above, there's no good reason for China to be modifying the hardware. ANYBODY who doesn't understand this should know that the CS world has been acutely aware of the software threat model for a long time, certainly
back to the Ken Thompson hack or earlier. That's 35 years ago, by the way, so most of today's kids think they're discovering all this stuff for the first time, but they're not.
If Bloomberg had come forward with a claim that the BMC firmware was being subverted with a "call home," I'd say "figures" and move on. Dell and HP firmware are susceptible to corruption as well. This is entirely non-shocking and to be expected, even.
It is definitely possible to do the hardware hack, but it leaves evidence, and when discovered, it would ultimately result in methods to be able to identify affected boards. It's much more plausible that one of the third-party vendors that supplies the IPMI and BMC firmware would be subverted to install some obfuscated code, which would have the bonus of not only infecting newly shipped systems, but also legacy systems that received an in-the-field firmware update.
This is something to take seriously. Not Bloomberg's crap, which should have been accompanied by proof of such a claim, which wouldn't be hard to come by if it was true. But the threat model is definitely there. Your IPMI should not be live on the Internet. It shouldn't even be able to REACH the Internet. Even giving it DNS query access provides a vector through which data could be exfiltrated from your network.
http://www.sol.net/dldns/dldns.c
Compile and run that
(It's safe. Just a download-via-DNS example that prints a message to your screen.)
